[Samba] "getpeername failed" error when signed communications policy enabled
Jeremy Allison
jra at samba.org
Wed Dec 14 15:11:56 MST 2011
On Wed, Dec 07, 2011 at 11:01:50AM +0000, Hilton, David wrote:
> Hi,
>
> I'm looking for help with an issue that we are seeing with the following
> configuration:
>
> We are using Samba (3.5.12-72.fc15) to share out CUPS printers from a Fedora
> 15 machine. However, a requirement of the system is that these printers are
> not directly visible from client systems (Windows 7 SP1 32-bit), so instead
> we are sharing them out from a Windows print server (Windows 2008 R2 SP1).
> So the clients connect to print queues on the Windows print server, which in
> turn forwards the print jobs on to CUPS.
>
> The issue we are seeing occurs when a policy change is made on the Windows
> 2008 R2 print server. If the "Microsoft network client: Digitally sign
> communications (always)" policy setting is enabled, we see the following
> behaviour:
>
> - Applications running on the print server can print normally.
> - Applications running on client machines fail to print.
>
> When a print job fails we see the following in the samba log for the client
> machine:
>
>
> [2011/12/07 10:43:23.381798, 2] auth/auth.c:304(check_ntlm_password)
> check_ntlm_password: authentication for user [XXX] -> [XXX] -> [XXX] succeeded
> [2011/12/07 10:43:39.760399, 0] lib/util_sock.c:474(read_fd_with_timeout)
> [2011/12/07 10:43:39.760476, 0] lib/util_sock.c:1441(get_peer_addr_internal)
> getpeername failed. Error was Transport endpoint is not connected
> read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>
>
>
> The smb.conf file that we are using is as follows:
>
> [global]
> #--authconfig--start-line--
>
> # Generated by authconfig on 2011/12/05 17:22:13
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
> workgroup = LOW
> password server = LOWDC
> security = user
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/false
> winbind use default domain = false
> winbind offline logon = false
> server signing = auto
> log level = 2
> log file = /var/log/samba.log.%m
> max log size = 50
> debug timestamp = yes
>
> #--authconfig--end-line--
> load printers = yes
> printing = cups
> printcap name = cups
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = yes
> writable = no
> printable = yes
> printer admin = root, @ntadmins, @smbprintadm
> use client driver = yes
>
> If the "Microsoft network client: Digitally sign communications (always)"
> setting is disabled it all works OK, but disabling this policy setting is
> not an allowed option at present.
That sounds like a signing error - do you see such in the
Samba logs?
Jeremy.
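
A log-triage sketch for the question asked in the reply above, added here as an example and not part of the original thread or of Samba's own code: it regroups the nested level-0 entries from the posted excerpt and separates messages that mention signing from the getpeername/reset pair. The `sig`/`sign` keyword match is an assumption, since the thread does not show what a Samba signing error looks like; `SAMPLE` is the log excerpt from the post, one entry per line.

```python
import re

# Debug header format as it appears in the posted excerpt:
#   [date time, level] file:line(function)
HEADER = re.compile(r"\[(.+?),\s*(\d+)\]\s+(\S+):(\d+)\((\w+)\)$")
# Assumption: a signing failure mentions "sig"/"sign..." somewhere in its message.
SIGN_HINT = re.compile(r"\bsig(n\w*)?\b", re.I)
RESET_HINT = re.compile(r"getpeername failed|Connection reset by peer")

# The log excerpt from the post, one entry per line.
SAMPLE = """\
[2011/12/07 10:43:23.381798, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [XXX] -> [XXX] -> [XXX] succeeded
[2011/12/07 10:43:39.760399, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/12/07 10:43:39.760476, 0] lib/util_sock.c:1441(get_peer_addr_internal)
getpeername failed. Error was Transport endpoint is not connected
read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
"""

def parse_entries(text):
    """Pair each header with its message lines, including nested output."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"time": m[1], "level": int(m[2]),
                            "where": f"{m[3]}:{m[4]}", "func": m[5], "msg": []})
        elif line and entries:
            # A message prefixed "func:" belongs to that function's header even
            # when another header was printed in between (nested debug output).
            prefix = line.split(":", 1)[0]
            owner = next((e for e in reversed(entries[-3:]) if e["func"] == prefix),
                         entries[-1])
            owner["msg"].append(line)
    return entries

def triage(text):
    """Return the entries that hint at signing and those that show the reset."""
    entries = parse_entries(text)
    hit = lambda rx: [e for e in entries if rx.search(" ".join(e["msg"]))]
    return {"signing": hit(SIGN_HINT), "resets": hit(RESET_HINT)}

if __name__ == "__main__":
    for kind, found in triage(SAMPLE).items():
        print(kind, [(e["time"], e["func"]) for e in found] or "none")
```

On the posted excerpt this reports no signing-related message and two reset entries, both logged about 16 seconds after the successful authentication.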